From owner-freebsd-doc@FreeBSD.ORG Wed Sep 4 09:40:42 2013 Return-Path: Delivered-To: freebsd-doc@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 7DA41628 for ; Wed, 4 Sep 2013 09:40:42 +0000 (UTC) (envelope-from olevole@olevole.ru) Received: from mail-lb0-f181.google.com (mail-lb0-f181.google.com [209.85.217.181]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 04D16235F for ; Wed, 4 Sep 2013 09:40:41 +0000 (UTC) Received: by mail-lb0-f181.google.com with SMTP id u14so154904lbd.40 for ; Wed, 04 Sep 2013 02:40:34 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:message-id:user-agent :mime-version:content-transfer-encoding:content-type; bh=pMbtpV1H7bdh8dJaWA/TKFz9S4DCWFcMe2T2vYcBQ6Y=; b=GsZ1tTelsvDN0IGWTs3o41WufXZRoxMDSlpLHJhaGbLpd4yV62+/tk99G7URS5jlmI OchGiyYLfoggHo71E1zH9cd2ykV3P1KZezVz5GkdY+d3PMoE+EIAKk2+nyo3EPXLrrVl qtCnC6yQ6D1Wf677vgbmZaQuw97Dz6oKLC3AsljrCP+f7u/hJtGak5d5vIPdK1gohaBF D/XgvA/8wdG/V5WTPzUkZiWdKYo+loxl5tQDuqKMyWKAVlGFK6WIKnKdmECJJz4aHdtT HNfXhCCuvgFqz5O5R0sZV/ve4yXIOx3SkxKs/9YLVCmolUCXd4n2AzoJw4VaO1iu4tDQ QcAw== X-Gm-Message-State: ALoCoQmMh/KeSTJoLfN8xublCXNET4wmT+6w9FhKhwYX+8c9EY8J04RyfsnMa9RNlAv9ToAOcN+M X-Received: by 10.152.30.74 with SMTP id q10mr1838116lah.27.1378287634318; Wed, 04 Sep 2013 02:40:34 -0700 (PDT) Received: from gizmo.nevosoft.local (ip-195-182-142-52.clients.cmk.ru. [195.182.142.52]) by mx.google.com with ESMTPSA id f17sm10163232lbo.12.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 04 Sep 2013 02:40:33 -0700 (PDT) From: olevole To: freebsd-doc@freebsd.org, freebsd-jail@freebsd.org Subject: handbook chapter for jail best practices needs for security remark Date: Wed, 04 Sep 2013 13:40:31 +0400 Message-ID: <2169287.FiyytKgDHO@gizmo.nevosoft.local> User-Agent: KMail/4.10.5 (FreeBSD/10.0-CURRENT; KDE/4.10.5; amd64; ; ) MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-BeenThere: freebsd-doc@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Documentation project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Sep 2013 09:40:42 -0000 Mounting directory via nullfs when RW part mounted above RO from one filesystem is insecure for RO location, because it allows you to edit a file by hardlink on RO place, due to the fact that the files have one inode. For example (by root user): % mkdir /usr/chroot % bsdinstall jail /usr/chroot % mount_nullfs -oro /bin /usr/chroot/bin % mkdir /rw % mount_nullfs /rw /usr/chroot/root % chroot /usr/chroot % touch /bin/date touch: /bin/date: Read-only file system % cd ~ % ln /bin/date % ls -i /bin/date /root/date 58182 /bin/date 58182 /root/date (open /root/date in vi editor and change something) % vi date dd :wq! (logout from chroot) % exit (now /bin/date is corrupted) % /bin/date /bin/date: Exec format error. Binary file not executable. Such scheme when the RW data is overlaid above RO data is popular for jail hosting and described in Handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html Perhaps it is worth mentioning in the article about the need to separate base to cross-device storage or place it on a read-only system.